snakeyaml upgrade
magicprinc opened this issue
Andrej Fink commented
org.yaml:snakeyaml:1.30 is old and has 7 vulnerabilities.
Is it time to upgrade?
Roberto Cortez commented
Are you on an old version of Smallrye Config?
We updated to 2.2 in 3.5.0: #985
Andrej Fink commented
Crazy situation!
I have had io.smallrye.config:smallrye-config-source-yaml:3.8.1, but org.yaml:snakeyaml:1.30.
The Spring Boot 2 Gradle plugin has somehow been forcing 1.30.
But the IDEA Gradle dependency inspector was showing that 1.30 was coming from Smallrye Config.
I have explicitly added the dependency org.yaml:snakeyaml:2.2 to fix this.
Sorry and thank you!
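The mismatch described in this thread can be read from Gradle's own dependency report, where a node printed as `requested -> resolved` means the version the parent asked for was overridden elsewhere in the build. The script below is an added example, not part of the original thread or of the SmallRye Config project: it parses such a report and lists where a module was requested at one version but resolved to another. The report text is constructed, the Spring Boot version is a placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample of `gradle dependencies --configuration runtimeClasspath`
# output (not taken from the issue); the Spring Boot version is a placeholder.
SAMPLE = """\
+--- io.smallrye.config:smallrye-config-source-yaml:3.8.1
|    +--- io.smallrye.config:smallrye-config:3.8.1
|    \\--- org.yaml:snakeyaml:2.2 -> 1.30
\\--- org.springframework.boot:spring-boot-starter:2.X.Y
     \\--- org.yaml:snakeyaml:1.30
"""

# One tree node: indent, branch marker, group:name:requested [-> resolved]
NODE = re.compile(
    r"^(?P<indent>[| ]*)[+\\]--- "
    r"(?P<ga>[^:\s]+:[^:\s]+):(?P<req>\S+)(?: -> (?P<res>\S+))?"
)

def find_overrides(report, module):
    """Return (parent_path, requested, resolved) for each occurrence of module."""
    stack, hits = [], []
    for line in report.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # configuration headers, blank lines, legend text
        depth = len(m["indent"]) // 5  # Gradle indents each tree level by 5 columns
        del stack[depth:]              # drop siblings and deeper nodes
        if m["ga"] == module:
            hits.append((" > ".join(stack), m["req"], m["res"] or m["req"]))
        stack.append(m["ga"])
    return hits

def overridden(hits):
    """Occurrences whose resolved version differs from what the parent requested."""
    return [h for h in hits if h[1] != h[2]]

if __name__ == "__main__":
    for path, req, res in overridden(find_overrides(SAMPLE, "org.yaml:snakeyaml")):
        print(f"{path}: requested {req}, resolved {res}")
```

In the constructed report the SmallRye artifact requests 2.2 and the build resolves 1.30, so the parent shown next to the old version is not the one that selected it.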